It all depends on who will be accessing the services and how. If you
mean open VNC, Terminal services etc up to the internet and the rest
of the world, then I can't stress enough how bad of an idea this is.
The amount of VNC and terminal services issues that have been
released recently would make me think twice about running them on a
closed LAN let alone the internet.

Having said that, if you plan on having your users VPN into your
network and THEN allowing them access to VNC, terminal services etc.,
that's probably the easiest way to admin Windows servers remotely and
reasonably securely, and it shouldn't hurt the users on dialup too
much.

So basically the ideal setup I would recommend would be this:

- Users establish a VPN connection to your site using either a VPN
device like Cisco's concentrator 3000 series or even a UNIX box with
IPSec.

- Once they are authenticated into your network they are assigned an IP
local to your network from a pool of IPs with restricted access
(restricted to what you want to allow the remote people to do).

- From there set up firewall/router ACLs to allow these IPs (and only
these IPs) to the machines running VNC, Terminal services etc.

Alternatively you could look into some KVM over IP products. We use
Avocent http://www.avocent.com/web/en.nsf for all of our NT Boxes.
The client is a bit of a bandwidth hog though so using remotely may
be out of the question for dial up users, however having a single VNC
box on your network with the DSView client on it may make the
situation more manageable for you.

This email was just a quick very rough idea outline, if you need/want
a more clear image of what I was thinking just let me know.

I have recently been assigned to join efforts with our Network group
in coming up with a secure remote access solution for our Network.
This will involve accessing servers in our DMZ. I was wondering if
this securityfocus community could elaborate on how secure VNC,
Freevision or Terminal Services are or better yet recommend another
solution.
Any comments would be greatly appreciated.
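
The pool-plus-ACL setup recommended in the reply above can be checked mechanically. This is an added example, not part of the original thread: it evaluates a first-match ACL and flags permit rules that expose the Terminal Services or VNC port to sources outside the VPN pool. All addresses, the rule format and the function names are constructed for illustration; 3389 and 5900 are the usual default ports for Terminal Services and VNC.

```python
import ipaddress

# Assumed addressing (constructed, not from the thread).
VPN_POOL = ipaddress.ip_network("10.8.0.0/28")   # IPs handed to VPN users
ADMIN_PORTS = {3389: "Terminal Services", 5900: "VNC"}

# Constructed first-match ACL: (action, source, destination, port or None = any)
ACL = [
    ("permit", "10.8.0.0/28", "192.168.50.0/24", 3389),
    ("permit", "10.8.0.0/24", "192.168.50.0/24", 5900),  # too wide: /24, not the /28 pool
    ("permit", "0.0.0.0/0", "192.168.50.10/32", 80),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def parse(acl):
    """Turn the string networks into ipaddress objects."""
    return [(a, ipaddress.ip_network(s), ipaddress.ip_network(d), p)
            for a, s, d, p in acl]

def decide(acl, src, dst, port):
    """First-match evaluation; implicit deny when no rule matches."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d, p in parse(acl):
        if src in s and dst in d and p in (None, port):
            return action
    return "deny"

def audit(acl, pool=VPN_POOL):
    """List permit rules that open an admin port to sources outside the pool.

    Conservative per-rule check: it does not account for an earlier deny
    shadowing a later permit, so every finding should be reviewed by hand.
    """
    findings = []
    for n, (action, s, d, p) in enumerate(parse(acl), 1):
        exposes_admin = p is None or p in ADMIN_PORTS
        if action == "permit" and exposes_admin and not s.subnet_of(pool):
            findings.append((n, str(s), p))
    return findings

if __name__ == "__main__":
    for rule_no, source, port in audit(ACL):
        print(f"rule {rule_no}: {source} can reach port {port}")
```
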
